GOOGLE Associate Cloud Engineer Exam Questions 2025

Our Associate Cloud Engineer Exam Questions help you prepare with authentic, up-to-date scenarios for the Google Cloud certification. Developed and reviewed by cloud experts, they include verified answers and concise explanations to cover deployment, operations, and security topics thoroughly. Use free sample questions and our interactive exam simulator to get ready for success with Cert Empire.


Exam Questions

Question 1

You have an application that runs on Compute Engine VM instances in a custom Virtual Private Cloud (VPC). Your company's security policies only allow the use of internal IP addresses on VM instances and do not let VM instances connect to the internet. You need to ensure that the application can access a file hosted in a Cloud Storage bucket within your project. What should you do?
Options
A: Enable Private Service Access on the Cloud Storage Bucket.
B: Add storage.googleapis.com to the list of restricted services in a VPC Service Controls perimeter and add your project to the list of protected projects.
C: Enable Private Google Access on the subnet within the custom VPC.
D: Deploy a Cloud NAT instance and route the traffic to the dedicated IP address of the Cloud Storage bucket.
Show Answer
Correct Answer:
Enable Private Google Access on the subnet within the custom VPC.
Explanation
Private Google Access allows virtual machine (VM) instances with only internal IP addresses to reach the external IP addresses of Google APIs and services, including Cloud Storage. When enabled on a subnet, it provides a path for traffic from the VMs to services like storage.googleapis.com without requiring an external IP address on the VM or routing traffic through the public internet. The traffic remains within Google's private network, satisfying the security requirement of no internet connectivity while enabling access to necessary Google services.
Why Incorrect Options are Wrong

A. Enable Private Service Access on the Cloud Storage Bucket.

Private Service Access is used to connect your VPC to Google-managed services (like Cloud SQL) that reside in a separate, Google-owned VPC. It is not applicable for accessing global APIs like Cloud Storage.

B. Add storage.googleapis.com to the list of restricted services in a VPC Service Controls perimeter and add your project to the list to protected projects.

VPC Service Controls is a security feature to prevent data exfiltration by creating a service perimeter. It does not provide the network connectivity needed for an internal-only VM to reach the service in the first place.

D. Deploy a Cloud NAT instance and route the traffic to the dedicated IP address of the Cloud Storage bucket.

Cloud NAT is primarily used to provide instances without external IPs with outbound access to the public internet. This violates the stated security policy. Private Google Access is the specific feature for accessing Google APIs privately.

References

1. Google Cloud Documentation, "Private Google Access overview": "With Private Google Access, VMs that only have internal IP addresses (no external IP addresses) can reach the external IP addresses of Google APIs and services. [...] You can use Private Google Access to access the external IP addresses of most Google APIs and services, including Cloud Storage..." This directly supports option C.

2. Google Cloud Documentation, "Choose a Cloud NAT product": "Cloud NAT enables Google Cloud virtual machine (VM) instances without external IP addresses and GKE clusters to connect to the internet." This confirms that Cloud NAT is for internet access, making option D incorrect as it violates the policy.

3. Google Cloud Documentation, "Private Service Access": "Private service access is a private connection between your VPC network and a network in a Google or third-party service. [...] For example, you can use private service access to connect to Cloud SQL..." This shows that option A is for a different type of service connection.

4. Google Cloud Documentation, "VPC Service Controls overview": "VPC Service Controls helps you mitigate the risk of data exfiltration from your Google-managed services..." This confirms that VPC Service Controls (option B) is a security measure, not a connectivity solution for this scenario.
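The following script is an added example, not part of the original question set: it enables Private Google Access on one subnet of the custom VPC with gcloud and reads the flag back, which is the change option C describes. PROJECT_ID, SUBNET and REGION are placeholders; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the page: enable Private Google Access (PGA) on one
# subnet of a custom VPC and verify it. PROJECT_ID, SUBNET and REGION are
# placeholders; override them in the environment before running.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"   # placeholder project
SUBNET="${SUBNET:-app-subnet}"           # placeholder subnet in the custom VPC
REGION="${REGION:-us-central1}"          # placeholder region of that subnet

# Execute a command, or only print it when DRY_RUN=1 so the change can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Turn PGA on for the subnet. VMs in it that have only internal IP addresses can
# then reach storage.googleapis.com without an external IP or Cloud NAT.
enable_pga() {
  run gcloud compute networks subnets update "$SUBNET" \
    --project="$PROJECT_ID" --region="$REGION" \
    --enable-private-ip-google-access
}

# Read the flag back; gcloud prints "True" once PGA is enabled on the subnet.
pga_status() {
  run gcloud compute networks subnets describe "$SUBNET" \
    --project="$PROJECT_ID" --region="$REGION" \
    --format='value(privateIpGoogleAccess)'
}

# Run from inside an internal-only VM: any HTTP status code at all shows a path
# to the API exists; a timeout means PGA (or an egress firewall rule) is missing.
probe_from_vm() {
  run curl -sS -o /dev/null -w '%{http_code}\n' \
    "https://storage.googleapis.com/storage/v1/b/${1:?bucket name required}"
}

main() {
  case "${1:-}" in
    plan)  DRY_RUN=1; enable_pga; pga_status ;;
    apply) enable_pga; pga_status ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
  esac
}
main "$@"
```

Run it as `sh pga.sh plan` to review the commands and `sh pga.sh apply` to make the change. PGA is a per-subnet setting, so every subnet that hosts internal-only VMs needing Google APIs has to be updated; if the VPC carries a custom deny-all egress rule, an egress allow rule towards the Google API address ranges is also required, since PGA does not bypass firewall rules.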

Question 2

Your company completed the acquisition of a startup and is now merging the IT systems of both companies. The startup had a production Google Cloud project in their organization. You need to move this project into your organization and ensure that the project is billed to your organization. You want to accomplish this task with minimal effort. What should you do?
Options
A: Use the projects.move method to move the project to your organization. Update the billing account of the project to that of your organization.
B: Ensure that you have an Organization Administrator Identity and Access Management (IAM) role assigned to you in both organizations. Navigate to the Resource Manager in the startup's Google Cloud organization, and drag the project to your company's organization.
C: Create a Private Catalog for the Google Cloud Marketplace, and upload the resources of the startup's production project to the Catalog. Share the Catalog with your organization, and deploy the resources in your company's project.
D: Create an infrastructure-as-code template for all resources in the project by using Terraform, and deploy that template to a new project in your organization. Delete the project from the startup's Google Cloud organization.
Show Answer
Correct Answer:
Use the projects.move method to move the project to your organization. Update the billing account of the project to that of your organization.
Explanation
The most direct and efficient method to transfer a project between organizations is using the Resource Manager's project move functionality. This is accomplished via the projects.move API method, which is also used by the gcloud projects move command. This process moves the project and all its resources, policies, and configurations intact. However, moving a project does not automatically change its associated billing account. To fulfill the requirement that the project is billed to the new organization, you must perform a second, distinct step: updating the project's billing account to one associated with the new organization. This two-step process is the standard procedure and represents the minimal effort required.
Why Incorrect Options are Wrong

B: This option is incomplete. While having the correct permissions (like Organization Administrator) is necessary for the move, it omits the explicit and critical step of changing the project's billing account.

C: This is an overly complex and incorrect approach. Private Catalog is for managing and deploying approved solutions, not for migrating existing production projects. This method would require recreating all resources, leading to significant effort and downtime.

D: This method involves recreating the entire project's infrastructure from code, which is the opposite of "minimal effort." It doesn't move the existing project but rather creates a new one, requiring a separate, complex data migration strategy and causing service disruption.


References

1. Official Google Cloud Documentation - Moving a project:

"When you move a project, its original billing account will continue to be used... To change the billing account, you must have the billing.projectManager role on the destination billing account and the resourcemanager.projectBillingManager role on the project." This confirms that moving the project and changing the billing account are two separate, required steps.

Source: Google Cloud Documentation, Resource Manager, "Moving a project", Section: "Effect on billing".

2. Official Google Cloud Documentation - gcloud projects move:

The command gcloud projects move is the command-line interface for the projects.move API method. The documentation outlines the process for moving a project to a new organization or folder.

Source: Google Cloud SDK Documentation, gcloud projects move.

3. Official Google Cloud Documentation - Modifying a project's billing account:

"You can change the billing account that is used to pay for a project." This page details the permissions and steps required to link a project to a different billing account, confirming it is a distinct action from moving the project's resource hierarchy.

Source: Google Cloud Billing Documentation, "Enable, disable, or change billing for a project".
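As an added example (not from the question set), the two-step procedure from the explanation as a single gcloud script: move the project, then re-link billing, then verify both. PROJECT_ID, DEST_ORG_ID and BILLING_ACCOUNT_ID are placeholders.

```shell
#!/bin/sh
# Added example, not from the page: move a project into another organization
# and re-link its billing account. All three IDs below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-startup-prod}"                          # placeholder
DEST_ORG_ID="${DEST_ORG_ID:-123456789012}"                        # placeholder numeric org ID
BILLING_ACCOUNT_ID="${BILLING_ACCOUNT_ID:-0X0X0X-0X0X0X-0X0X0X}"  # placeholder account ID

# Execute a command, or only print it when DRY_RUN=1 so the change can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: move the project (the projects.move API under the hood). Resources and
# IAM policy travel with it; the old billing account keeps paying until step 2.
move_project() {
  run gcloud projects move "$PROJECT_ID" --organization="$DEST_ORG_ID"
}

# Step 2: link the project to a billing account owned by the acquiring organization.
link_billing() {
  run gcloud billing projects link "$PROJECT_ID" --billing-account="$BILLING_ACCOUNT_ID"
}

# Verify: the parent should now be the destination org and the billing account
# name should end with the new account ID.
verify() {
  run gcloud projects describe "$PROJECT_ID" --format='value(parent.id)'
  run gcloud billing projects describe "$PROJECT_ID" --format='value(billingAccountName)'
}

main() {
  case "${1:-}" in
    plan)  DRY_RUN=1; move_project; link_billing; verify ;;
    apply) move_project; link_billing; verify ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
  esac
}
main "$@"
```

Two practitioner caveats: a cross-organization move must also be permitted by the organization policy constraints `constraints/resourcemanager.allowedExportDestinations` on the source organization and `constraints/resourcemanager.allowedImportSources` on the destination, so coordinate with the startup's organization administrators before running step 1; and because the move does not touch billing, the `verify` output is the check that the acquiring company is actually being charged.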

Question 3

All development (dev) teams in your organization are located in the United States. Each dev team has its own Google Cloud project. You want to restrict access so that each dev team can only create cloud resources in the United States (US). What should you do?
Options
A: Create a folder to contain all the dev projects. Create an organization policy to limit resources in US locations.
B: Create an organization to contain all the dev projects. Create an Identity and Access Management (IAM) policy to limit the resources in US regions.
C: Create an Identity and Access Management (IAM) policy to restrict the resource locations in the US. Apply the policy to all dev projects.
D: Create an Identity and Access Management (IAM) policy to restrict the resource locations in all dev projects. Apply the policy to all dev roles.
Show Answer
Correct Answer:
Create a folder to contain all the dev projects. Create an organization policy to limit resources in US locations.
Explanation
The Google Cloud Organization Policy Service is designed to provide centralized, programmatic control over an organization's cloud resources. To restrict the physical location of newly created resources, the gcp.resourceLocations constraint should be used. The most efficient and scalable method to apply this policy to a specific group of projects (like all development projects) is to group them into a folder. The organization policy is then applied to this folder, and all projects within it will inherit the constraint, ensuring resources are only created in the specified US locations.
Why Incorrect Options are Wrong

B. Identity and Access Management (IAM) policies grant permissions to principals (who can do what), but they do not enforce constraints on resource attributes like location (where).

C. This is incorrect for the same reason as B; IAM is the wrong tool for enforcing location-based restrictions. This is the specific purpose of the Organization Policy Service.

D. This is incorrect for two reasons: IAM does not control resource locations, and policies are bound to resources (like projects or folders), not to roles.

References

1. Google Cloud Documentation, "Restricting resource locations": "To restrict the locations where your organization's resources can be created, you can use a resource locations organization policy. The resource locations organization policy constraint is gcp.resourceLocations." This document explicitly states that the gcp.resourceLocations constraint is the correct tool.

2. Google Cloud Documentation, "Organization Policy Constraints", gcp.resourceLocations: "Defines the set of locations where location-based Google Cloud resources can be created... This constraint will be checked at resource creation time." This confirms the specific constraint and its function.

3. Google Cloud Documentation, "Resource hierarchy for access control": "The Google Cloud resource hierarchy allows you to group projects under folders, and folders and projects under the organization... Policies set at higher levels in the hierarchy are inherited by the resources below them." This supports using a folder to apply the policy to multiple projects efficiently.

4. Google Cloud Documentation, "Overview of IAM": "IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources... IAM lets you adopt the security principle of least privilege". This documentation clarifies that IAM's focus is on permissions, not resource configuration constraints like location.
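The folder-plus-organization-policy setup from option A, written out as an added example (not from the question set). ORG_ID, FOLDER_ID and the project name passed to `move_into_folder` are placeholders; `in:us-locations` is the Google-maintained value group for US locations named in the referenced documentation.

```shell
#!/bin/sh
# Added example, not from the page: create a dev folder, restrict resource
# locations on it with gcp.resourceLocations, and move projects under it.
# ORG_ID and FOLDER_ID are placeholders.
set -eu

ORG_ID="${ORG_ID:-123456789012}"        # placeholder numeric organization ID
FOLDER_ID="${FOLDER_ID:-987654321098}"  # placeholder numeric folder ID (from create_dev_folder)

# Execute a command, or only print it when DRY_RUN=1 so the change can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Create the folder once; take the numeric ID from the output and set FOLDER_ID.
create_dev_folder() {
  run gcloud resource-manager folders create --display-name=dev --organization="$ORG_ID"
}

# Allow only the "us-locations" value group. Every project under the folder
# inherits this; resource creation elsewhere is rejected from then on.
restrict_to_us() {
  run gcloud resource-manager org-policies allow gcp.resourceLocations in:us-locations \
    --folder="$FOLDER_ID"
}

# Show the policy as it is actually applied, including anything inherited from the org.
show_effective() {
  run gcloud resource-manager org-policies describe gcp.resourceLocations \
    --folder="$FOLDER_ID" --effective
}

# Move an existing dev project under the folder so it picks up the constraint.
move_into_folder() {
  run gcloud projects move "$1" --folder="$FOLDER_ID"
}

main() {
  case "${1:-}" in
    plan)  DRY_RUN=1; restrict_to_us; show_effective ;;
    apply) restrict_to_us; show_effective ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
  esac
}
main "$@"
```

The constraint is evaluated at creation time, as the referenced documentation says, so resources that already exist outside the US are not moved or flagged by it; an inventory of existing locations is a separate exercise. Using a folder rather than per-project policies also means a project created later in the folder is covered without anyone remembering to apply the policy.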

Question 4

You are configuring Cloud DNS. You want to create DNS records to point home.mydomain.com, mydomain.com, and www.mydomain.com to the IP address of your Google Cloud load balancer. What should you do?
Options
A: Create one CNAME record to point mydomain.com to the load balancer, and create two A records to point WWW and HOME to mydomain.com respectively.
B: Create one CNAME record to point mydomain.com to the load balancer, and create two AAAA records to point WWW and HOME to mydomain.com respectively.
C: Create one A record to point mydomain.com to the load balancer, and create two CNAME records to point WWW and HOME to mydomain.com respectively.
D: Create one A record to point mydomain.com to the load balancer, and create two NS records to point WWW and HOME to mydomain.com respectively.
Show Answer
Correct Answer:
Create one A record to point mydomain.com to the load balancer, and create two CNAME records to point WWW and HOME to mydomain.com respectively.
Explanation
The most appropriate configuration is to create an A record for the apex domain (mydomain.com) to point directly to the load balancer's IPv4 address. An A record is required for the apex domain because a CNAME record cannot be used at the zone apex (the root of a domain), as it must coexist with other records like SOA and NS. For the subdomains (www.mydomain.com and home.mydomain.com), CNAME records should be created to point to the apex domain (mydomain.com). This approach is efficient because if the load balancer's IP address changes, only the single A record for mydomain.com needs to be updated, and the subdomains will automatically resolve to the new IP.
Why Incorrect Options are Wrong

A. A CNAME record cannot be used for the zone apex (mydomain.com). Additionally, A records map hostnames to IP addresses, not to other hostnames.

B. A CNAME record cannot be used for the zone apex. AAAA records are for mapping to IPv6 addresses, not for aliasing one hostname to another.

D. NS (Name Server) records are used to delegate a DNS zone to a set of authoritative name servers, not to point a hostname to an IP address or another hostname.

References

1. Google Cloud Documentation, Cloud DNS, "Add, modify, and delete records": Under the section for "CNAME record," the documentation states, "A CNAME record cannot exist at the zone apex." This directly invalidates options A and B. The documentation also defines an "A record" as mapping a domain name to an IPv4 address, which is the correct use case for the apex domain in this scenario.

2. Google Cloud Documentation, Cloud DNS, "Supported DNS record types": This page details the function of each record type. It confirms that A records are for IPv4 addresses, CNAMEs are for canonical names (aliases), and NS records are for name server delegation, supporting the reasoning for selecting C and rejecting D.

3. Internet Engineering Task Force (IETF), RFC 1034, "DOMAIN NAMES - CONCEPTS AND FACILITIES", Section 3.6.2: This foundational document for DNS specifies the CNAME rule: "If a CNAME RR is present at a node, no other data should be present". Since the zone apex must have SOA and NS records, a CNAME cannot be placed there. This provides the technical basis for why options A and B are incorrect.

4. Internet Engineering Task Force (IETF), RFC 1912, "Common DNS Operational and Configuration Errors", Section 2.4: This document clarifies common mistakes and states, "A CNAME record is not allowed to coexist with any other data. In other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you can't also have an MX record for suzy.podunk.xx." This reinforces the rule against using a CNAME at the zone apex.
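An added example, not from the question set, that builds the record set from option C (one A record at the apex, CNAME aliases for the hosts), refuses any plan that would place a CNAME at the apex, and creates the records in a Cloud DNS zone. ZONE is a placeholder and 203.0.113.10 is a documentation address standing in for the load balancer IP.

```shell
#!/bin/sh
# Added example, not from the page: plan and create the A + CNAME records for a
# domain whose apex points at a load balancer. ZONE and LB_IP are placeholders.
set -eu

ZONE="${ZONE:-mydomain-zone}"        # placeholder Cloud DNS managed zone name
LB_IP="${LB_IP:-203.0.113.10}"       # placeholder (documentation address) load balancer IP

# Execute a command, or only print it when DRY_RUN=1 so the change can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Print one "NAME TYPE RRDATA" line per record. The apex gets an A record with the
# load balancer IP; every other host becomes a CNAME alias of the apex, so an IP
# change later touches one record only. Names are fully qualified (trailing dot).
plan_records() {
  domain=$1; ip=$2; shift 2
  printf '%s. A %s\n' "$domain" "$ip"
  for host in "$@"; do
    printf '%s.%s. CNAME %s.\n' "$host" "$domain" "$domain"
  done
}

# Read a plan on stdin and reject a CNAME at the zone apex (RFC 1034 section 3.6.2;
# Cloud DNS rejects it too, but catching it before the API call gives a clear error).
validate_plan() {   # arg: apex domain
  apex="$1."
  while read -r name type data; do
    if [ "$name" = "$apex" ] && [ "$type" = "CNAME" ]; then
      echo "refusing: CNAME at zone apex $name" >&2
      return 1
    fi
  done
  return 0
}

# Validate, then create each record in the zone with a 300 second TTL.
apply_records() {   # args: domain ip host...
  plan_records "$@" | validate_plan "$1"
  plan_records "$@" | while read -r name type data; do
    run gcloud dns record-sets create "$name" --zone="$ZONE" \
      --type="$type" --ttl=300 --rrdatas="$data"
  done
}

main() {
  case "${1:-}" in
    plan)  DRY_RUN=1; apply_records mydomain.com "$LB_IP" www home ;;
    apply) apply_records mydomain.com "$LB_IP" www home ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
  esac
}
main "$@"
```

`plan_records` is generic over any number of hosts, so the same script serves a domain with more aliases than the two in the question. If the load balancer later has an IPv6 address as well, the apex additionally gets an AAAA record and the CNAMEs stay as they are, since an alias follows whatever records the apex carries.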

Question 5

You have two subnets (subnet-a and subnet-b) in the default VPC. Your database servers are running in subnet-a. Your application servers and web servers are running in subnet-b. You want to configure a firewall rule that only allows database traffic from the application servers to the database servers. What should you do?
Options
A: • Create service accounts sa-app and sa-db. • Associate service account sa-app with the application servers and service account sa-db with the database servers. • Create an ingress firewall rule to allow network traffic from source service account sa-app to target service account sa-db.
B: • Create network tags app-server and db-server. • Add the app-server tag to the application servers and the db-server tag to the database servers. • Create an egress firewall rule to allow network traffic from source network tag app-server to target network tag db-server.
C: • Create a service account sa-app and a network tag db-server. • Associate the service account sa-app with the application servers and the network tag db-server with the database servers. • Create an ingress firewall rule to allow network traffic from source VPC IP addresses and target the subnet-a IP addresses.
D: • Create a network tag app-server and service account sa-db. • Add the tag to the application servers and associate the service account with the database servers. • Create an egress firewall rule to allow network traffic from source network tag app-server to target service account sa-db.
Show Answer
Correct Answer:
• Create service accounts sa-app and sa-db. • Associate service account sa-app with the application servers and service account sa-db with the database servers. • Create an ingress firewall rule to allow network traffic from source service account sa-app to target service account sa-db.
Explanation
This solution correctly implements the principle of least privilege by using identity-based controls. An ingress firewall rule is created to control traffic entering the database servers. By specifying a target service account (sa-db) for the database servers and a source service account (sa-app) for the application servers, the rule precisely allows traffic only from instances with the sa-app identity to instances with the sa-db identity. This is a secure and scalable method that is not dependent on network location or IP addresses, which can change.
Why Incorrect Options are Wrong

B: This option incorrectly describes an egress rule. The destination for an egress rule must be an IP CIDR range, not a target network tag. A target tag is used for ingress rules.

C: The firewall rule described is overly permissive. It allows traffic from all VPC IP addresses to the entire database subnet, which violates the requirement to only allow traffic from the application servers.

D: This option incorrectly describes an egress rule. The destination for an egress rule must be an IP CIDR range, not a target service account. A target service account is used for ingress rules.

References

1. Google Cloud Documentation - VPC firewall rules: "For ingress rules, you can use service accounts to define the source. For egress rules, you can use service accounts to define the destination... Using service accounts for the source of ingress rules and the destination of egress rules is more specific than using network tags." This supports using service accounts for source/target specification.

2. Google Cloud Documentation - Use firewall rules: Under the "Components of a firewall rule" section, the table for "Source for ingress rules" lists "Source service accounts". The table for "Destination for egress rules" lists only "Destination IPv4 or IPv6 ranges". This confirms that options B and D, which specify a target tag or service account for an egress rule's destination, are invalid configurations.

3. Google Cloud Documentation - Firewall rules overview: "You can configure firewall rules by using network tags or service accounts... If you need stricter control over rules, we recommend that you use service accounts instead of network tags." This highlights that the approach in option A is a recommended best practice for secure configurations.
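The service-account based ingress rule from option A as an added example (not from the question set), together with the step the question glosses over: in the default VPC, the pre-populated `default-allow-internal` rule (priority 65534, source 10.128.0.0/9) would still let the web servers in subnet-b reach the database, so the script also adds a logged deny rule targeting sa-db at a priority between that rule and the new allow. PROJECT_ID, ZONE, the instance names and the database port 5432 are placeholders.

```shell
#!/bin/sh
# Added example, not from the page: identity-based firewall rules so only VMs
# running as sa-app can reach the database port on VMs running as sa-db.
# PROJECT_ID, ZONE, instance names and DB_PORT are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"   # placeholder project
ZONE="${ZONE:-us-central1-a}"            # placeholder zone of the VMs
DB_PORT="${DB_PORT:-5432}"               # placeholder: the port the database listens on
SA_APP="sa-app@${PROJECT_ID}.iam.gserviceaccount.com"
SA_DB="sa-db@${PROJECT_ID}.iam.gserviceaccount.com"

# Execute a command, or only print it when DRY_RUN=1 so the change can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# One identity per tier. Firewall rules key on the service account the VM runs as,
# not on its IP address, so the rules survive IP changes and subnet moves.
create_service_accounts() {
  run gcloud iam service-accounts create sa-app --project="$PROJECT_ID" --display-name="application servers"
  run gcloud iam service-accounts create sa-db  --project="$PROJECT_ID" --display-name="database servers"
}

# Attach an identity to an existing VM; the instance must be stopped for this.
attach_sa() {   # args: instance-name service-account-email
  run gcloud compute instances stop "$1" --project="$PROJECT_ID" --zone="$ZONE"
  run gcloud compute instances set-service-account "$1" --project="$PROJECT_ID" --zone="$ZONE" \
    --service-account="$2"
  run gcloud compute instances start "$1" --project="$PROJECT_ID" --zone="$ZONE"
}

# Ingress allow: source identity sa-app, target identity sa-db, database port only.
allow_app_to_db() {
  run gcloud compute firewall-rules create allow-app-to-db --project="$PROJECT_ID" --network=default \
    --direction=INGRESS --action=ALLOW --rules="tcp:${DB_PORT}" --priority=1000 \
    --source-service-accounts="$SA_APP" --target-service-accounts="$SA_DB"
}

# default-allow-internal (priority 65534) would still admit every internal source.
# This deny sits at priority 1100: after the allow above, before the default rule.
# Logging is enabled so blocked attempts show up in Cloud Logging for detection.
deny_others_to_db() {
  run gcloud compute firewall-rules create deny-all-to-db --project="$PROJECT_ID" --network=default \
    --direction=INGRESS --action=DENY --rules=all --priority=1100 \
    --source-ranges=0.0.0.0/0 --target-service-accounts="$SA_DB" --enable-logging
}

main() {
  case "${1:-}" in
    plan)  DRY_RUN=1; create_service_accounts; allow_app_to_db; deny_others_to_db ;;
    apply) create_service_accounts; allow_app_to_db; deny_others_to_db ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
  esac
}
main "$@"
```

Call `attach_sa app-1 "$SA_APP"` and `attach_sa db-1 "$SA_DB"` for each VM (names are placeholders) before applying the rules, or the allow matches nothing. Without the deny rule the allow is correct but redundant in the default VPC; the deny is what turns "allow from the app servers" into "only from the app servers", and its logs are the first place to look when something other than an app server starts probing the database port.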

Question 6

Your team wants to deploy a specific content management system (CMS) solution to Google Cloud. You need a quick and easy way to deploy and install the solution. What should you do?
Options
A: Search for the CMS solution in Google Cloud Marketplace. Use gcloud CLI to deploy the solution.
B: Search for the CMS solution in Google Cloud Marketplace. Deploy the solution directly from Cloud Marketplace.
C: Search for the CMS solution in Google Cloud Marketplace. Use Terraform and the Cloud Marketplace ID to deploy the solution with the appropriate parameters.
D: Use the installation guide of the CMS provider. Perform the installation through your configuration management system.
Show Answer
Correct Answer:
Search for the CMS solution in Google Cloud Marketplace. Deploy the solution directly from Cloud Marketplace.
Explanation
Google Cloud Marketplace is specifically designed to offer pre-configured and optimized software solutions that can be deployed rapidly on Google Cloud. For a common application like a Content Management System (CMS), the Marketplace provides a streamlined, web-based interface that automates the creation of all necessary resources (e.g., Compute Engine instances, disks, firewall rules) and the installation of the software. This "few-click" deployment process is the most direct, quickest, and easiest method, perfectly aligning with the user's requirements.
Why Incorrect Options are Wrong

A. While the gcloud CLI can deploy Marketplace solutions, it is generally more complex and less intuitive than using the graphical user interface, contradicting the "quick and easy" requirement.

C. Using Terraform is an excellent practice for infrastructure-as-code and repeatable deployments, but it requires writing configuration files and is more involved than a direct deployment from the Marketplace UI.

D. A manual installation using the provider's guide is the most time-consuming and complex option. It requires manually provisioning infrastructure and handling all software dependencies and configurations.

References

1. Google Cloud Documentation, "Overview of Google Cloud Marketplace": The documentation states, "Google Cloud Marketplace lets you quickly deploy functional software packages that run on Google Cloud... Some solutions are free to use, and for others, you pay for the software, or for the Google Cloud resources that you use, or both." This confirms the Marketplace is the intended tool for quick deployments.

2. Google Cloud Documentation, "Deploying a VM-based solution": This guide details the process of deploying a solution directly from the Marketplace console. The steps involve selecting a product and filling out a simple web form, after which "Cloud Deployment Manager deploys the solution for you." This demonstrates the ease of use compared to CLI or manual methods.

3. Google Cloud Documentation, "Deploying a solution by using Terraform": This document outlines the multi-step process for using Terraform, which includes creating a .tf configuration file. This confirms that while possible, it is not the simplest or quickest method for a one-time deployment.

Question 7

You are working for a startup that was officially registered as a business 6 months ago. As your customer base grows, your use of Google Cloud increases. You want to allow all engineers to create new projects without asking them for their credit card information. What should you do?
Options
A: Create a Billing account, associate a payment method with it, and provide all project creators with permission to associate that billing account with their projects.
B: Grant all engineers permission to create their own billing accounts for each new project.
C: Apply for monthly invoiced billing, and have a single invoice for the project paid by the finance team.
D: Create a billing account, associate it with a monthly purchase order (PO), and send the PO to Google Cloud.
Show Answer
Correct Answer:
Create a Billing account, associate a payment method with it, and provide all project creators with permission to associate that billing account with their projects.
Explanation
The most effective and standard practice is to centralize billing management. This is achieved by creating a single Cloud Billing account for the organization and associating a corporate payment method. To allow engineers to create projects that are paid for by the company, they must be granted an IAM role on that billing account which includes the billing.projects.link permission. The Billing Account User role (roles/billing.user) is a predefined role that grants this permission. This setup enables engineers to create new projects and link them to the central billing account, solving the problem without requiring them to use personal credit cards and providing the company with centralized financial oversight.
Why Incorrect Options are Wrong

B. This approach decentralizes billing, creating significant administrative overhead and making cost tracking nearly impossible. It also contradicts the goal of not using engineers' personal payment information.

C. Invoiced billing is a payment option, not the mechanism that enables project creation. A startup may not meet the eligibility criteria, and this option omits the crucial step of granting permissions.

D. A Purchase Order (PO) is a financial instrument used with invoiced billing for tracking purposes. It does not solve the core problem of granting engineers permission to use a central billing account.

References

1. Google Cloud Documentation, "Overview of Cloud Billing concepts": This document states, "A Cloud Billing account is set up in Google Cloud and is used to pay for usage costs in your Google Cloud projects... To use Google Cloud resources in a project, billing must be enabled on the project. Billing is enabled when the project is linked to an active Cloud Billing account." This supports the fundamental need for a central billing account linked to projects.

2. Google Cloud Documentation, "Control access to Cloud Billing accounts with IAM," Section: "Billing account permissions": This page details the permissions required to manage billing. Specifically, the billing.projects.link permission "allows a user to link projects to the billing account." This is the exact permission needed by the engineers in the scenario.

3. Google Cloud Documentation, "Understand predefined Cloud Billing IAM roles," Section: "Billing Account User": The roles/billing.user role is described as granting permissions to link projects to a billing account. This is the standard role assigned to users who need to create projects under a corporate billing account.

4. Google Cloud Documentation, "Request invoiced billing," Section: "Eligibility requirements": This document outlines the criteria for invoiced billing, which includes being a registered business for at least one year and having a minimum spend, confirming that a 6-month-old startup might not qualify.

Question 8

You recently received a new Google Cloud project with an attached billing account where you will work. You need to create instances, set firewalls, and store data in Cloud Storage. You want to follow Google-recommended practices. What should you do?
Options
A: Use the gcloud CLI services enable cloudresourcemanager.googleapis.com command to enable all resources.
B: Use the gcloud services enable compute.googleapis.com command to enable Compute Engine and the gcloud services enable storage-api.googleapis.com command to enable the Cloud Storage APIs.
C: Open the Google Cloud console and enable all Google Cloud APIs from the API dashboard.
D: Open the Google Cloud console and run gcloud init --project in a Cloud Shell.
Show Answer
Correct Answer:
Use the gcloud services enable compute.googleapis.com command to enable Compute Engine and the gcloud services enable storage-api.googleapis.com command to enable the Cloud Storage APIs.
Explanation
The principle of least privilege is a Google-recommended best practice, which dictates that you should only enable the specific APIs required for your tasks. The question requires creating instances and firewalls (managed by the Compute Engine API) and storing data (managed by the Cloud Storage API). Option B correctly identifies the specific gcloud commands to enable only these two necessary services: compute.googleapis.com for Compute Engine and storage-api.googleapis.com (or storage.googleapis.com) for Cloud Storage. This approach ensures that no unnecessary services are enabled, which minimizes the security attack surface and potential for unintended usage.
Why Incorrect Options are Wrong

A. The cloudresourcemanager.googleapis.com API is for programmatically managing projects, folders, and organizations. It does not enable other services like Compute Engine or Cloud Storage.

C. Enabling all APIs is a significant security risk as it violates the principle of least privilege. It exposes the project to services that are not needed, increasing the potential attack surface.

D. The gcloud init command is used to initialize or configure settings for the gcloud command-line tool, such as the default project, account, and region. It does not enable any APIs.

References

1. Official Google Cloud Documentation, Enabling and disabling services: "Before you can use a Google Cloud service, you must first enable the service's API for your Google Cloud project... We recommend that you enable APIs for only the services that your apps actually use." This supports the principle of enabling specific APIs. The page also provides the syntax gcloud services enable SERVICENAME, which matches option B.

Source: Google Cloud Documentation, "Enabling and disabling services".

2. Official Google Cloud Documentation, gcloud services enable command reference: This document confirms that gcloud services enable [SERVICE]... is the correct command to enable one or more APIs for a project.

Source: Google Cloud SDK Documentation, gcloud services enable.

3. Official Google Cloud Security Foundations Guide, Section 2.3, "Manage IAM permissions": This guide emphasizes the principle of least privilege. While discussing IAM, the principle extends to all resources, including enabling only necessary APIs. "Grant roles at the smallest scope... grant predefined roles instead of primitive roles... to enforce the principle of least privilege."

Source: Google Cloud Security Foundations Guide PDF, Page 13.

4. Official Google Cloud Documentation, gcloud init command reference: This document describes the function of gcloud init as: "Initializes or reinitializes gcloud CLI settings." It makes no mention of enabling APIs, confirming that option D is incorrect.

Source: Google Cloud SDK Documentation, gcloud init.

Question 9

Your company is using Google Workspace to manage employee accounts. Anticipated growth will increase the number of personnel from 100 employees to 1,000 employees within 2 years. Most employees will need access to your company's Google Cloud account. The systems and processes will need to support 10x growth without performance degradation, unnecessary complexity, or security issues. What should you do?
Options
A: Migrate the users to Active Directory. Connect the Human Resources system to Active Directory. Turn on Google Cloud Directory Sync (GCDS) for Cloud Identity. Turn on Identity Federation from Cloud Identity to Active Directory.
B: Organize the users in Cloud Identity into groups. Enforce multi-factor authentication in Cloud Identity.
C: Turn on identity federation between Cloud Identity and Google Workspace. Enforce multi-factor authentication for domain wide delegation.
D: Use a third-party identity provider service through federation. Synchronize the users from Google Workspace to the third-party provider in real time.
Show Answer
Correct Answer:
Organize the users in Cloud Identity into groups. Enforce multi-factor authentication in Cloud Identity.
Explanation
The company already uses Google Workspace, so its user accounts are already Google identities managed in the Google Admin console, the same identity platform Cloud Identity uses; Google Cloud IAM can reference them directly with no migration or federation. The most effective, scalable, and secure approach is to build on that. Organizing users into Google Groups and granting IAM roles to groups rather than to individual users is a Google-recommended best practice for managing permissions at scale: as employees join, change teams, or leave, a group membership change alone updates their access, and the IAM policy itself stays small enough to review. Enforcing multi-factor authentication, which Google calls 2-Step Verification, protects accounts against stolen or phished passwords, a risk that grows with the workforce. This approach avoids unnecessary complexity and cost while improving security and scalability.
Why Incorrect Options are Wrong

A. This introduces significant and unnecessary complexity by adding Active Directory. Migrating users and setting up synchronization and federation is a major project when a suitable identity provider is already in place.

C. This is technically incorrect. Google Workspace and Cloud Identity are part of an integrated identity platform; you do not federate between them. It also misapplies MFA to domain-wide delegation instead of user accounts.

D. Introducing a third-party identity provider adds complexity, cost, and another system to manage. Synchronizing from Google Workspace to a third-party provider also reverses the normal direction of the data flow: an external IdP is the source of truth that provisions users into Cloud Identity, not the other way around.

References

1. Using Groups for Access Control: Google Cloud's official documentation on Identity and Access Management (IAM) explicitly recommends using groups to manage roles for multiple users. This simplifies administration and scales effectively.

Source: Google Cloud Documentation, "Best practices for using IAM", Section: "Use groups and roles to manage access".

2. Google Workspace and Cloud Identity Integration: Google Workspace accounts are inherently Cloud Identity accounts. This means there is no need for federation or a separate identity system.

Source: Google Cloud Documentation, "Overview of Cloud Identity and Access Management", Section: "Identities".

3. Enforcing Multi-Factor Authentication (MFA): The Google Workspace Admin help center details how to enforce 2-Step Verification (Google's term for MFA) for all users in an organization to enhance security.

Source: Google Workspace Admin Help, "Protect your business with 2-Step Verification", Section: "Deploy 2-Step Verification".

4. Complexity of Federation: Setting up federation with an external identity provider (as suggested in A and D) is a multi-step process intended for organizations that already have an established external IdP as their source of truth, not for those already using Google Workspace.

Source: Google Cloud Documentation, "Setting up identity federation", provides an overview of the required configuration, highlighting the added complexity.
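To make the "grant roles to groups, not to individual users" recommendation concrete, here is an added Python example (not from the original page or from Google) that audits an exported IAM policy for the two patterns the explanation argues against: roles bound directly to `user:` members, and basic roles such as roles/editor. The policy JSON is constructed sample data in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; the addresses and project name in it are assumptions.

```python
"""Audit a Google Cloud IAM policy for bindings that will not scale or are over-privileged.

Added example, not from the original page. Input is the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints.
"""
import json

# Basic (formerly "primitive") roles: broad access across the whole project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (assumed names). The first binding follows the
# recommendation (a group); the others use the patterns the text warns about.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["group:platform-team@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com", "user:bob@example.com",
                 "serviceAccount:app-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:carol@example.com", "group:everyone@example.com"]}
  ],
  "etag": "BwXsample",
  "version": 1
}
"""


def audit_policy(policy):
    """Return findings as (role, member, reason) tuples.

    Two checks: a role granted to an individual user should move to a group,
    and a basic role should be replaced by a predefined or custom role.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member.startswith("user:"):
                findings.append((role, member,
                                 "granted to an individual user; grant to a group instead"))
            if role in BASIC_ROLES:
                findings.append((role, member,
                                 "basic role; use a predefined or custom role scoped to the job"))
    return findings


def members_by_kind(policy):
    """Count member principals by type across all bindings (user/group/serviceAccount/other)."""
    counts = {"user": 0, "group": 0, "serviceAccount": 0, "other": 0}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]
            counts[kind if kind in counts else "other"] += 1
    return counts


def main():
    policy = json.loads(SAMPLE_POLICY_JSON)
    print("principals by type:", members_by_kind(policy))
    for role, member, reason in audit_policy(policy):
        print(f"{role:40s} {member:50s} {reason}")


if __name__ == "__main__":
    main()
```

A policy that passes this audit has a handful of `group:` bindings with predefined roles; adding the 900 new employees then touches only group membership in the Admin console, never the IAM policy.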

Question 10

Your application development team has created Docker images for an application that will be deployed on Google Cloud. Your team does not want to manage the infrastructure associated with this application. You need to ensure that the application can scale automatically as it gains popularity. What should you do?
Options
A: Create an Instance template with the container image, and deploy a Managed Instance Group with Autoscaling.
B: Upload Docker images to Artifact Registry, and deploy the application on Google Kubernetes Engine using Standard mode.
C: Upload Docker images to the Cloud Storage, and deploy the application on Google Kubernetes Engine using Standard mode.
D: Upload Docker images to Artifact Registry, and deploy the application on Cloud Run.
Show Answer
Correct Answer:
Upload Docker images to Artifact Registry, and deploy the application on Cloud Run.
Explanation
Cloud Run is a fully managed, serverless platform that allows you to run stateless containers without managing the underlying infrastructure. It automatically scales the number of container instances up or down based on traffic, including scaling down to zero when there are no requests, which directly meets the requirements. Artifact Registry is the recommended, fully managed service in Google Cloud for storing, managing, and securing container images. This combination provides a completely serverless solution that requires no infrastructure management from the development team while ensuring automatic scalability.
Why Incorrect Options are Wrong

A. A Managed Instance Group runs on Compute Engine virtual machines. This requires managing the underlying OS and instance configurations, which violates the "do not want to manage the infrastructure" requirement.

B. Google Kubernetes Engine (GKE) in Standard mode requires you to manage the worker node pools (the underlying VMs). This includes tasks like node upgrades and capacity planning, which constitutes infrastructure management.

C. Cloud Storage is an object store, not a container registry; GKE, like Cloud Run, pulls images from a registry such as Artifact Registry, so images uploaded to a bucket cannot be deployed directly. Furthermore, GKE in Standard mode requires infrastructure management, making this option incorrect on two counts.

References

1. Google Cloud Documentation, "Cloud Run overview": "Cloud Run is a managed compute platform that lets you run containers directly on top of Google's scalable infrastructure. You can deploy code written in any programming language on Cloud Run if you can build a container image from it. ... With Cloud Run, you don't need to manage infrastructure..."

2. Google Cloud Documentation, "Choosing a compute option": This document compares various compute services. It categorizes Cloud Run as "Serverless" and highlights "No infrastructure management." In contrast, it places Compute Engine (used in option A) under "Infrastructure as a Service (IaaS)" and GKE (used in options B and C) under "Containers as a Service (CaaS)," both of which involve more infrastructure management than serverless options.

3. Google Cloud Documentation, "Artifact Registry overview": "Artifact Registry is a single place for your organization to manage container images and language packages (such as Maven and npm). It is fully integrated with Google Cloud's tooling and runtimes..." This confirms Artifact Registry as the correct repository for Docker images.

4. Google Cloud Documentation, "Comparing GKE cluster modes: Autopilot and Standard": "In Standard mode, you manage your cluster's underlying infrastructure, which gives you node configuration flexibility." This statement confirms that GKE Standard mode involves infrastructure management, which the question explicitly seeks to avoid.
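As an added example, not code from the original page or from Google, the following Python helper applies the supply-chain point behind options C and D: before handing an image to `gcloud run deploy --image`, confirm that the reference points at an Artifact Registry Docker repository (`LOCATION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE`) in the expected project, and that it is pinned by digest rather than by a tag that can be moved after review. The image references and the project name are constructed samples.

```python
"""Validate a container image reference before a Cloud Run deploy.

Added example, not from the original page. Checks three things:
  1. the host is an Artifact Registry Docker host (e.g. us-central1-docker.pkg.dev),
  2. the path is PROJECT/REPOSITORY/IMAGE and PROJECT matches what we expect,
  3. the image is pinned by a sha256 digest, not only by a mutable tag.
"""
import re

# Artifact Registry Docker hosts: regional (us-central1-docker.pkg.dev) or
# multi-regional (us-docker.pkg.dev). Other registries are rejected here.
AR_HOST_RE = re.compile(r"^[a-z0-9-]+-docker\.pkg\.dev$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

EXPECTED_PROJECT = "my-project"  # assumed project ID


def parse_image_ref(ref):
    """Split 'host/path[:tag][@digest]' into parts; missing pieces are None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    host, _, path = ref.partition("/")
    tag = None
    last = path.rsplit("/", 1)[-1]      # final path segment may carry ':tag'
    if ":" in last:
        name, tag = last.split(":", 1)
        path = path[: len(path) - len(last)] + name
    return {"host": host, "path": path, "tag": tag, "digest": digest}


def check_image_ref(ref, expected_project=EXPECTED_PROJECT):
    """Return a list of problems; an empty list means the reference is acceptable."""
    parts = parse_image_ref(ref)
    problems = []
    if not AR_HOST_RE.match(parts["host"]):
        problems.append(f"host {parts['host']!r} is not an Artifact Registry Docker host")
    segments = parts["path"].split("/")
    if len(segments) < 3:
        problems.append("path must be PROJECT/REPOSITORY/IMAGE")
    elif segments[0] != expected_project:
        problems.append(f"image is in project {segments[0]!r}, expected {expected_project!r}")
    if parts["digest"] is None:
        problems.append("not pinned by digest; a tag such as :latest can be repointed later")
    elif not DIGEST_RE.match(parts["digest"]):
        problems.append("malformed sha256 digest")
    return problems


# Constructed sample references (the digest is a placeholder hex string).
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_REFS = [
    f"us-central1-docker.pkg.dev/my-project/web/app@{SAMPLE_DIGEST}",
    "us-central1-docker.pkg.dev/my-project/web/app:v1.2.3",
    f"us-docker.pkg.dev/other-project/web/app@{SAMPLE_DIGEST}",
    "docker.io/library/nginx:1.25",
    "gcr.io/my-project/app:latest",
]


def main():
    for ref in SAMPLE_REFS:
        problems = check_image_ref(ref)
        status = "OK " if not problems else "BAD"
        print(status, ref)
        for p in problems:
            print("     -", p)


if __name__ == "__main__":
    main()
```

Running this as a gate in the CI job that calls `gcloud run deploy` keeps the "no infrastructure to manage" benefit of Cloud Run without losing control over which image actually reaches production.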

Total Questions: 322
Last Update Check: October 17, 2025